At Least Two Flaws in Monero Could Make Some Transactions Partially Traceable

A flaw in ostensibly untraceable cryptocurrency Monero, which has picked up steam as market leader Bitcoin has stumbled in value, may make it possible to trace transactions—and since the entire history of Monero is encoded in its blockchain in what is now known to be a semi-vulnerable method, transactions that happened years ago could potentially be analysed for information on the parties involved.

Per Wired, a team of researchers from institutions including Princeton, Carnegie Mellon, Boston University, MIT, and the University of Illinois at Urbana-Champaign recently released a paper showing that while Monero is designed to mix the “coins” in each transaction with decoys called “mixins,” there are flaws in the way the Monero network handles that mixing. Here’s how one of the tricks works, according to Wired:

The researchers first note that simple tricks allow an observer to identify some of the decoy mixins used to cover for a real coin being spent. In Monero’s first year, for instance, it allowed users to opt out of its privacy protections and spend coins with no mixins at all. (Today, Monero requires a minimum of four mixin decoys for every transaction.) The problem with that opt-out system: When an already spent and identified coin is later used as a mixin, it can be easily plucked out of the mix to help identify the remaining coins. If that results in another coin being identified, and that coin is itself used as a mixin in a subsequent transaction, it can reduce the stealth of those later transactions, too.
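To make that chain reaction concrete, here is an added Python example (not code from this article, from Wired, from the researchers, or from the Monero project) that runs the "an output can only be spent once, so a known-spent output must be a decoy" deduction over a constructed toy ledger of rings until no further progress is possible; the ledger, output names and function names are assumptions made for the illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed toy ledger (an assumption, not real chain data): transaction id
# -> ring of candidate output ids. Each ring hides one real spent output among
# decoys; a ring of size 1 is a zero-mixin transaction from the opt-out era.
TOY_LEDGER: Dict[str, List[str]] = {
    "tx1": ["out1"],                  # zero-mixin: out1 is trivially spent here
    "tx2": ["out1", "out2"],          # out1 already spent elsewhere -> out2 is real
    "tx3": ["out2", "out3"],          # cascade: out2 now known spent -> out3 is real
    "tx4": ["out1", "out4", "out5"],  # one decoy removed, two candidates remain
    "tx5": ["out6", "out7", "out8"],  # unaffected: no candidate is known spent
}


def cascade_deanonymise(ledger: Dict[str, List[str]]) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Apply the 'spent once' deduction to a fixed point.

    Returns (spent, unresolved): spent maps each provably spent output to the
    transaction that spent it; unresolved lists the surviving candidates of
    every transaction whose real input could not be pinned down.
    """
    spent: Dict[str, str] = {}
    resolved: Set[str] = set()
    candidates = {tx: set(ring) for tx, ring in ledger.items()}
    changed = True
    while changed:                      # loop until a pass makes no progress
        changed = False
        for tx, cands in candidates.items():
            if tx in resolved:
                continue
            # Outputs proven spent in another transaction must be decoys here.
            cands.difference_update(spent)
            if not cands:               # inconsistent input; cannot happen on a valid chain
                raise ValueError(f"{tx}: every candidate is already spent elsewhere")
            if len(cands) == 1:
                (real,) = cands
                spent[real] = tx
                resolved.add(tx)
                changed = True
    unresolved = {tx: sorted(c) for tx, c in candidates.items() if tx not in resolved}
    return spent, unresolved


def traceable_fraction(ledger: Dict[str, List[str]]) -> float:
    """Share of transactions whose real input the cascade exposed."""
    spent, _ = cascade_deanonymise(ledger)
    return len(spent) / len(ledger)
```

In this toy ledger a single zero-mixin spend ends up exposing the real input of three of the five transactions, which is why a user opting out of mixins degrades the privacy of everyone who later picks that output as a decoy.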

The second flaw is related to the timing of transactions:

In any mix of one real coin and a set of fake coins bundled up in a transaction, the real one is very likely to have been the most recent coin to have moved prior to that transaction. Before a recent change from Monero’s developers, that timing analysis correctly identified the real coin more than 90 per cent of the time, virtually nullifying Monero’s privacy safeguards.

Monero has since been updated so that the second method now identifies the real coin among the mixins only 45 per cent of the time, still essentially flip-of-the-coin odds. Neither method can be used to identify the recipient of a transaction, only the sender from whom the coin originated, according to Wired. But that’s hardly reassuring for users, given how authorities have repeatedly busted so-called “dark web” markets like Silk Road, AlphaBay, and Hansa, and then used Bitcoin’s blockchain in tandem with recovered records and flipped suspects to track down even more suspected criminals.

The researchers estimate that at most 25 per cent of Monero transactions are for “illicit use,” which is still a huge chunk of the activity on the coin’s network. While these flaws don’t necessarily show that anywhere near all of those illicit transactions could be traced, they do undermine Monero’s security. That’s bad news not just for cybercriminals, but for anyone who relies on the coin for anonymity, ranging from regular users to white supremacists.

“Privacy isn’t a thing you achieve, it’s a constant cat-and-mouse battle,” Monero core developer Riccardo Spagni told Wired, adding that some of the flaws are offset by other security features. Regarding the second flaw concerning transaction timing, he added that the team needs to develop a new approach entirely: “There are steps we can take to continue to improve the sampling, but the reality is that this isn’t a solvable problem by just pecking away at it.”

It could be worse: Someone encoded illegal child abuse imagery into the Bitcoin protocol, potentially making holding or spending any bitcoins illegal. [Wired]